Florida Digital Bill of Rights: Florida Adds Data and Privacy Security Act
Monday, June 26, 2023
Florida Joins Growing List of States with Data Privacy Laws
Print Mail Download i

Florida has joined the ranks of the states adding a groundbreaking Data Privacy and Security Law, effective July 1, 2024. 

Embedded in the Technology Transparency Act are the “Digital Bill of Rights,” several provisions regarding consumer data and controllers who collect consumer data, specific requirements for controllers to comply with consumer requests including an appeals process, privacy notices, requiring certain persons to receive consumer consent before engaging in the sale of sensitive personal data and providing for civil penalties.  

Notably, there is NO private cause of action.  

The Digital Bill of Rights (Fla. Stat. 501.701) includes:  

  • The right to control personal data, including the right to confirm, access, and delete your personal data from a social platform;  

  • The right to know that your personal data will not be used against you when purchasing a home, obtaining health insurance, or being hired;  

  • The right to know how internet search engines manipulate search results;  

  • The right to opt out of having personal data sold; and  

  • The right to protect children from personal data collection. 

This law directly impacts Big Tech!  

It focuses on controllers, which are defined generally as a for profit legal entity that conducts business in Florida, collects personal data about consumers, determines the purposes and means of processing personal data, makes in excess of $1 billion in global gross annual revenues and satisfies one of three additional criterion: derives 50% or more of its global gross revenues from the sale of advertisements online, operates a consumer smart speaker and voice command component, or operates an app store.  

A brief overview of the new law: 

Submitting Consumer Requests 

A controller shall establish two or more methods to enable consumers to submit a request to exercise their consumer rights under this part. The methods must be secure, reliable, and clearly and conspicuously accessible. 

Comply with Consumer Requests 

A controller shall respond to the consumer request without undue delay, which may not be later than 45 days after the date of receipt of the request. If a controller cannot take action regarding the consumer’s request, the controller must inform the consumer without undue delay, which may not be later than 45 days after the date of receipt of the request, of the justification for the inability to take action on the request and provide instructions on how to appeal the decision. 

A controller shall provide information or take action in response to a consumer request free of charge, at least twice annually per consumer. But…if a request from a consumer is manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or may decline to act on the request. 

Waiver or Limitation of Consumer Rights Prohibited  

Any provision of a contract or agreement which waives or limits in any way as described by s. herein is contrary to public policy and is void and unenforceable. 

Consumer Privacy Notice 

A controller shall provide consumers with a reasonably accessible and clear privacy notice, updated at least annually, that includes all of the following information: 

(a) The categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller. 

(b) The purpose of processing personal data. 

(c) How consumers may exercise their rights, including the process by which a consumer may appeal a controller’s decision with regard to the consumer’s request. 

(d) If applicable, the categories of personal data that the controller shares with third parties. 

(e) If applicable, the categories of third parties with whom the controller shares personal data. 

(f) A description of the methods by which consumers can submit requests to exercise their consumer rights under this part. 

Sale of Personal Consumer Data

If a controller engages in the sale of personal data that is sensitive data, the controller must provide the following notice: “NOTICE: This website may sell your sensitive personal data.”  

If a controller engages in the sale of personal data that is biometric data, the controller must provide the following notice: “NOTICE: This website may sell your biometric personal data.” 

If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out of that process. 

Civil Penalties (with a 45-day cure period allowed) 

A violation of this part is an unfair and deceptive trade practice actionable under part II of this chapter solely by the Department of Legal Affairs. 

In addition to other remedies under part II of this chapter, the department may collect a civil penalty of up to $50,000 per violation.  

After the department has notified a person in writing of an alleged violation, the department may grant a 45-day period to cure the alleged violation and issue a letter of guidance. 

Florida has now joined Indiana, Tennessee, Montana, and Washington in passing major privacy bills THIS YEAR ALONE!

© 2024 Troutman Amin, LLP

Current Legal Analysis

More from Troutman Amin, LLP

NO ARBITRATION FOR LEAD BUYER: Consent Form Naming Buyer Does Not Give Buyer Right to Enforce Arbitration in TCPA Class Action
by: Eric J. Troutman
ACRONYM ACRIMONY: FCC Classifies Royal Tiger as a C-CIST And That’s a Really Bad Thing
by: Eric J. Troutman
IF YOU SELL MEDICARE SUPPLEMENTAL OR ADVANTAGE INSURANCE PLAN THROUGH TELEMARKETING: You May No Longer Do So in Mississippi
by: Angelika Munger
$35MM GODADDY TCPA SETTLEMENT EXPLODES (PART 2):”We Emphasize That We Think That the Sort of Strategy Employed by [GoDaddy and Class] Counsel has No Place in the Federal District Court.”
by: Eric J. Troutman
$35MM GODADDY TCPA SETTLEMENT EXPLODES (PART 1): Appellate Court Finds Probable “Collusion” Between Class Counsel and GoDaddy Lawyers in TCPA Class Settlement–Deems Class Counsel “Inadequate” To Represent the Class
by: Eric J. Troutman
NO LOVE: Fuego Leads Stuck in TCPA Class Action After Allegedly Authorizing Calls into Virginia
by: Eric J. Troutman
CIPA Claims Don’t Always Travel Well
by: John H. Henson
Perrong Loses Massive ATDS Ruling: Third Circuit Court of Appeal Rejects Fn7 Argument and Follows Borden in Unpublished TCPA ATDS Ruling
by: Eric J. Troutman
NO IMMUNITY FOR GOVERNMENT ROBOCALLS: Trump-Appointed Judge Destroys Personal Immunity for Seemingly Official Acts in TCPA Suit and There Seems to Be More Here Than Meets The Eye
by: Eric J. Troutman
HUGE TCPA ATDS WIN: Second Circuit Joins Ninth in Concluding Only Systems That Randomly Generate Telephone Numbers Trigger TCPA Definition
by: Eric J. Troutman

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins